Test-Prep Flashcards
Which of the following is BEST represented by encrypting a message with a private key and having the message decrypted with the matching public key? A. Knapsack problem B. Zero-knowledge proof C. Key escrow D. Elliptic curves
Answer: B In cryptography, zero-knowledge proof can be represented by encrypting something with your private key. To decrypt something that was encrypted using a private key, you will need to use the corresponding public key. In this case, you know that the item was encrypted using the private key, but you never actually view or are given the public key. Only the owner of the private key can prove they have the key.
Which option refers to the component of the XML Key Management Specification 2.0 (XKMS 2.0) used for defining the protocols needed to register public key information? A. X-KISS B. XML-SIG C. XML-Enc D. X-KRSS
Answer: D XKMS 2.0 has two key components: XML Key Registration Service Specification (X-KRSS) and XML Key Information Service Specification (X-KISS). The X-KRSS specification defines the protocols needed to register public key information. X-KRSS can generate the key material, making key recovery simpler than when created manually. Applications can be coded to bind information, such as a name or identifier, to a public key. Once registered, the key can be used with X-KISS or a Public Key Infrastructure (PKI).
Which option should be addressed by the governance of cryptographic algorithms and systems at a minimum? A. Transition plans for replacing outdated keys B. The top web application security flaws and how they can be mitigated C. Industry-recommended cryptographic algorithms D. All keys that have been issued by the system
Answer: A All cryptographic algorithms and protocols eventually age and become compromised. IS professionals must test the cryptographic systems of their organization and replace the systems that are outdated. The governance of cryptographic algorithms and systems should address the following at a minimum:
- Transition plans for replacing outdated algorithms and keys
- Procedures for the use of cryptographic systems
- Approved cryptographic algorithms and key sizes
- Key generation, escrow, and destruction guidelines
- Incident reporting guidelines
Which is typically the NEXT step in the public key infrastructure (PKI) process after a digital certificate is requested by a user? A. The request is sent to the CA. B. The certificate is generated by the CA. C. The private and public key pair is created on the user’s machine. D. Identity information is processed by the RA.
Answer: D PKI is a set of policies, processes, server platforms, software, and workstations to administer certificates and public-private key pairs. PKI has the ability to issue, maintain, and revoke public key certificates. PKI provides security services for confidentiality, integrity, authentication, nonrepudiation, and access control, based on using private and public key cryptography. The key pairs are obtained through a trusted authority, a certificate authority (CA), and this enables PKI to provide digital certificates. When making a request for a digital certificate, there is a series of steps that are performed. After making the request for the certificate, the next step is for identity information to be processed. This is typically performed by a registration authority (RA) but can be performed by a CA if an RA is not being used. Once the certificate request is received by the RA, it requests identification information from the user that sent the request and verifies this information.
Which security standard consists of five principles and seven enablers? A. ISO/IEC 27001:2005 B. ITSEC C. COBIT version 5 D. ISO/IEC 15408
Answer: C Control Objectives for Information and Related Technology (COBIT) is a security standard model that is mainly used as the basis for the integration of security in a company. COBIT version 5 consists of five principles and seven enablers.
Which statement is NOT true in relation to asymmetric cryptography? A. It has better key distribution than symmetric systems. B. It provides confidentiality but not authenticity or non-repudiation. C. It works much more slowly than symmetric keys. D. It has better scalability than symmetric systems.
Answer: B The ability to provide confidentiality but not authenticity or non-repudiation is a weakness of symmetric key cryptography, not asymmetric key cryptography. In fact, one of the strengths of asymmetric cryptography is its ability to provide confidentiality, authentication, and non-repudiation.
Which component of an organization’s security program should management use to mandate that all employees wear photo ID badges, and that they are visible at all times? A. Procedure B. Informative security policy C. Guideline D. Baseline
Answer: D A baseline can be a technical or non-technical security document that enforces regulations within an organization. A non-technical baseline may be used to define security requirements for employees. By establishing, documenting, and adhering to the requirements, the company is implementing a baseline of protection. Reference: All-in-One, page 169.
Identify a characteristic of external audits. A. It takes a specified amount of time to complete B. It has a high level of validity C. It includes a follow-up meeting after the audit, to verify that recommendations have been implemented D. It is conducted several times a year
Answer: B External audits are done by an outside auditing firm. They are considered to be highly valid and credible because the auditors are impartial and have no conflict of interest with the organization.
In terms of a Service Organization Control (SOC) 2 or SOC 3 audit, which step should be performed during the audit preparation phase? A. Collect data prior to doing on-site work to expedite the audit process. B. Provide management with a draft report to review. C. Analyze the collected information off-site. D. Hold meetings to identify alternatives and remediation plans.
Answer: D The audit preparation phase involves the security professionals working with the service provider to ensure everything is in place to perform a successful audit. The audit preparation phase should include the following steps:
- Identify the scope of the audit and the timeframe for which it will be conducted.
- Consult existing documentation and management to identify the current and required controls.
- Conduct a readiness review and report gaps to management.
- List prioritized recommendations for dealing with any gaps that were identified.
- Hold meetings to identify alternatives and remediation plans.
- Ensure identified gaps have been addressed prior to starting the audit phase.
- Decide on the best approach to use for the audit and reporting process, based on the service provider’s requirements.
What is used to support risk management decisions within an organization by continually keeping track of key performance and risk indicators? A. NIST SP 800-30 B. FRAP C. ISO 27001 D. ISCM
Answer: D Information security continuous monitoring (ISCM) is used to support risk management decisions within an organization. It does this by continually keeping track of vulnerabilities and threats to information security by monitoring certain metrics obtained from various sources. For example, metrics related to the different security controls implemented in the organization would be tracked by ISCM.
Which statement does NOT apply to application interface testing? (Note the difference between application integration testing and interface testing.) A. It determines whether the components of an application are working correctly with the hardware. B. It determines whether all supported browsers have been tested. C. It determines whether the recovery mechanisms are functioning properly. D. It determines whether control is passed from one component to another correctly.
Answer: A It is integration testing, not interface testing, that is performed to determine whether the combined components of an application and the hardware it is running on are working correctly. For example, application integration testing would be performed to ensure the software is able to properly integrate with the system’s hardware to perform the tasks for which it was designed.
What can be used for synthetic performance monitoring of a web site? A. Microsoft System Center Operations Manager B. Polyinstantiation C. Security Information and Event Management D. Sandbox
Answer: A Microsoft System Center Operations Manager can be used to create synthetic transaction tests that will monitor TCP port usage and perform transactions against web sites and databases. The synthetic transaction tests can provide information about the performance of a web site by simulating a user logging on and browsing items.
Which consideration is LEAST important when implementing a security plan for an LDAP directory service? (Think of usability and integration) A. The capacity of the service to support the strongest security products B. The ratio of read to write operations that the directory supports C. The process for replicating data between the directory and other data sources D. The type of data that the directory stores
Answer: A It is important to analyze the specific security needs of a Lightweight Directory Access Protocol (LDAP) directory before designing a security plan. The characteristics of a directory, including its intended use, interoperation with other entities in a network, and administration requirements, determine appropriate security strategies. These strategies should provide an acceptable level of security without imposing unnecessary restrictions on users. The objective of security design for an LDAP directory is to implement an appropriate level of security, rather than to implement the strongest security measures available. An overly restrictive security plan is likely to hinder users and administrators.
Which of the following emphasizes resuming and maintaining business operations in financial institutions after a disaster? A. NYSE Rule 446 B. FFIEC C. SD Rule 3510 D. Electronic Funds Transfer Act
Answer: B The Federal Financial Institutions Examination Council (FFIEC) provides a booklet on creating business continuity plans (BCPs). It specifies that a financial institution’s BCP should focus on resuming and maintaining business operations, rather than just on recovering technology. It also dictates that the planning process should occur across the enterprise. It states that the foundation of a good BCP includes a thorough business impact analysis (BIA) and risk assessment, and that the BCP should be tested and audited independently.
An organization requires an identity management solution that uses a remote access authentication system to store information about users and applications. Which remote access authentication system should the organization use? A. TACACS+ B. RADIUS C. LDAP D. Diameter
Answer: C Lightweight Directory Access Protocol (LDAP) is an industry-standard protocol for network directory services. LDAP systems store information about users, network resources, file systems, and applications. LDAP is supported by all the principal directory services, such as Microsoft Active Directory, Apache Directory Server, and Novell eDirectory.